
Security-enabled business: Cloud Access Security Brokers

Blogs by author: Global Services

More organisations are aware of productivity-boosting cloud applications, but few know how to use these securely. That’s where Cloud Access Security Brokers can help.

Clouds. Visibility, nil.

As organisations seek to benefit from the flexibility, convenience and cost-efficiency of the cloud, security is expanding out of the data centre. This leaves security decision-makers without visibility or control of cloud applications used in their organisation.

Security decision-makers currently have no insight into what’s happening in cloud applications. This means they must either allow cloud applications they can’t control or block cloud applications outright, at the cost of employees’ ability to collaborate.

A risk of data loss.

Without cloud visibility, companies can’t answer questions like: “What cloud applications are being used by employees in the organisation?” Or: “How securely is data being stored within these applications?”

Controlling what sensitive information is allowed to be stored in the cloud, and who can access it, is fundamental to secure collaboration inside the organisation and with partners. Currently, organisations can’t extend data-loss prevention (DLP) capabilities into their cloud environments, so they’re at risk of data leaks.

Equally, organisations face difficulties with bring your own device (BYOD) and remote users, who require reliable, global access to corporate cloud applications, but work outside of the traditional security macro-perimeter.

Key challenges with cloud security.

Some of the main issues that organisations face when it comes to cloud security are:

Visibility: organisations can’t ‘see’ which sanctioned and unsanctioned cloud applications their employees use, or the risk associated with them.

Threats: organisations are constantly at risk from cyber criminals, whether through compromised accounts, insider threats or malware attempting to move data to and from the cloud.

What do Cloud Access Security Brokers (CASBs) provide?

Visibility: CASBs allow organisations to see which cloud applications are being used, the data transferred to and from them, and who the data’s shared with.

Risk assessment: with visibility achieved, CASB solutions provide a breakdown of the risks associated with each cloud application detected. Organisations can then define their sanctioned cloud applications based on dozens of factors, for example implementation of encryption for data at rest, last known data breach and legal agreements.

DLP: using either the API model or proxy approach, CASBs provide DLP functionality, so organisations can detect sensitive information being stored in or transferred to the cloud. They can then quarantine, delete or encrypt it.

Threat protection: CASBs can identify suspicious behaviour, such as simultaneous logins from multiple geographic areas and large data exfiltration attempts, as well as scanning data in the cloud for malware.

Access control: using a CASB, it’s possible to control the devices and locations users can log in from, and the applications they can log in to. Authentication to software-as-a-service (SaaS) applications can be stepped up when required, or users can be redirected to sanctioned applications as dictated by company policy.
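
The "simultaneous logins from multiple geographic areas" check described under threat protection can be sketched as follows. This is an added example, not code from any CASB product; the event format, the 30-minute window and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (user, ISO timestamp, country of source IP).
SAMPLE_EVENTS = [
    ("alice", "2024-03-01T09:00:00", "GB"),
    ("alice", "2024-03-01T09:04:00", "GB"),
    ("bob",   "2024-03-01T09:10:00", "DE"),
    ("alice", "2024-03-01T09:12:00", "BR"),
    ("bob",   "2024-03-01T17:30:00", "US"),
    ("carol", "2024-03-01T10:00:00", "FR"),
]

def find_geo_conflicts(events, window=timedelta(minutes=30)):
    """Flag consecutive sign-ins by one user from different countries
    that are no more than `window` apart.

    Returns a list of (user, earlier_country, later_country, gap_seconds).
    """
    by_user = defaultdict(list)
    for user, ts, country in events:
        by_user[user].append((datetime.fromisoformat(ts), country))

    alerts = []
    for user in sorted(by_user):
        logins = sorted(by_user[user])  # chronological order per user
        # Compare each sign-in with the one immediately before it.
        for (t1, c1), (t2, c2) in zip(logins, logins[1:]):
            gap = t2 - t1
            if c1 != c2 and gap <= window:
                alerts.append((user, c1, c2, int(gap.total_seconds())))
    return alerts

if __name__ == "__main__":
    for alert in find_geo_conflicts(SAMPLE_EVENTS):
        print(alert)
```

Country codes derived from IP geolocation shift when users connect through VPN or mobile-carrier egress points, so alerts like this are normally triaged alongside device and session context rather than acted on alone.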

A CASB secures access to the cloud in many ways.

API connectors.

API connectors utilise the API functionality provided by SaaS providers such as Dropbox, Microsoft Office and Box View. They control and secure the data stored within your SaaS application.

Whenever an action’s performed in your cloud application, your CASB solution is notified and decides how to react. The benefit of the API connector approach is that it doesn’t require any footprint on user devices — the CASB solution interacts with SaaS applications from the cloud.

Forward proxies.

API connectors provide visibility and control for sanctioned SaaS applications, but how do you gain visibility and control for unsanctioned cloud applications?

CASBs use forward proxies to ensure all cloud application traffic goes through the CASB solution. This is achieved through:

on-premises appliances (virtual or physical) to route traffic from the premises to the cloud

client-side software or PAC files

domain name system (DNS) redirection.

While forward proxies provide control, they also increase friction by requiring additional configuration by users, either through proxy configuration or client installations.

Reverse proxies.

Reverse proxies redirect users trying to access sanctioned SaaS applications through the CASB service, regardless of where they try to access it from.

This is achieved by setting the CASB solution as the designated authentication source for the given SaaS application. The CASB solution then forwards the authentication request to the identity and access management (IAM) system, but, crucially, forwards all future traffic through the CASB solution as well, allowing it to inspect traffic to and from the sanctioned SaaS application.

Log inspection.

In order to gain visibility of cloud usage throughout the organisation, proxy and firewall logs can be submitted to the CASB solution to provide a comprehensive analysis of cloud activity in the organisation.
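
The log-inspection approach, together with the "large data exfiltration" check mentioned under threat protection, can be illustrated with a small analyser. This is an added example, not code from any CASB product; the log format, the application catalogue, the `.example` domains and the upload threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed catalogue: registered domain -> (application, sanctioned?).
CATALOGUE = {
    "dropbox.com": ("Dropbox", True),
    "filedrop.example": ("FileDrop", False),   # hypothetical app
    "pastehub.example": ("PasteHub", False),   # hypothetical app
}

# Constructed proxy log; assumed fields:
# timestamp user method host bytes_sent bytes_received
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice POST api.dropbox.com 120000 900
2024-03-01T09:02:10 bob POST upload.filedrop.example 52000000 400
2024-03-01T09:02:40 bob POST upload.filedrop.example 61000000 400
2024-03-01T09:05:00 carol GET pastehub.example 300 15000
2024-03-01T09:06:00 carol GET notdropbox.com 200 4000
malformed line
"""

def classify(host):
    """Match on a DNS label boundary so notdropbox.com is not treated as Dropbox."""
    host = host.lower().rstrip(".")
    for domain, entry in CATALOGUE.items():
        if host == domain or host.endswith("." + domain):
            return entry
    return None

def summarise(log_text, upload_limit=100_000_000):
    """Return (unsanctioned apps seen, (user, app, bytes) over the limit, unknown hosts)."""
    sent = defaultdict(int)  # (user, app, sanctioned) -> total bytes sent
    unknown = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[4].isdigit():
            continue  # skip lines that do not fit the assumed format
        user, host, nbytes = parts[1], parts[3], int(parts[4])
        entry = classify(host)
        if entry is None:
            unknown.add(host)  # candidates for catalogue review
        else:
            sent[(user, *entry)] += nbytes
    unsanctioned = sorted({app for (_, app, ok) in sent if not ok})
    flagged = sorted((u, app, n) for (u, app, ok), n in sent.items()
                     if not ok and n > upload_limit)
    return unsanctioned, flagged, sorted(unknown)

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```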